3 results found

1. Add the ability to grant impersonate permissions to custom roles

   I want to be able to create a custom role for the admin console users that while given limited permissions through the Application Dictionnary would also be granted the ability to impersonate website users. Currently, the impersonate feature is limited to 4 roles: ISCSystem, ISCImplementer, ISCAdmin, ISCUser. Being able to customize the CanCurrentUserImpersonateAnotherUser method used by the AccountController would give more flexibility.

   7 votes

   Vote Vote Vote Vote

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Vote

   We’ll send you updates on this idea

   Building  ·  6 comments  ·  Delete…  ·  Admin →

2. Don't show archived websites in CMS editor popup window

   In the admin toolbar, if you click on the icon to "View Website", you will see archived websites when going into CMS Editor.

   We believe those should be either hidden or have a collapsible to now view it.

   In our case it's our old classic websites and we don't want them to show to confuse the client.

   1 vote

   Vote Vote Vote Vote

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Vote

   We’ll send you updates on this idea

   0 comments  ·  Delete…  ·  Admin →
   Building  ·  AdminSara Winter (Principal Product Manager, Optimizely) responded

   Great news! Our team has been working on adding this and we anticipate it to be available in May release.

3. Request for an out of the box configuration setting for when sessions are fully expired

   Request for an out of the box configuration setting for when sessions are fully expired:

   • Session Expiration and let the client decide if they would like to redirect to Session Expired Page, or use Overlay with Session Expired Modal on same page.
   • In this setting we could also provide additional sub-setting with ability to enable a session expiration warning (admin can set the number of minutes)

   Incomplete Client-Side Inactivity Timeout: We have two different issues with this vulnerability,
   • If a customer steps away from their system without an automatic logout after a period of inactivity, there is a risk that others may access sensitive information. (They can’t take any action, however they can see all the information on that current page)
   • Customers believe they are still logged in while attempting to check out or submit orders, only to find themselves logged out unexpectedly. This can be frustrating for them.

   This issue was raised as a security vulnerability by security audit team and it’s also customer experience issue (they are not aware of session expiration). This is already in your tracker but it’s mentioned as “Working as Designed.” but it’s a security issue. Please consider this as a security fix.
   Incomplete Client-Side Inactivity Timeout Low When a user’s session expires, their active window is not redirected to a timeout or login page. Any information on the page remains exposed. Working as Designed. This is currently designed behavior on Storefront, any action on a website after session timeout will redirect user to SignIn page.

   Request for an out of the box configuration setting for when sessions are fully expired:

   • Session Expiration and let the client decide if they would like to redirect to Session Expired Page, or use Overlay with Session Expired Modal on same page.
   • In this setting we could also provide additional sub-setting with ability to enable a session expiration warning (admin can set the number of minutes)

   Incomplete Client-Side Inactivity Timeout: We have two different issues with this vulnerability,
   • If a customer steps away from their system without an automatic logout after a period of inactivity, there is… more

   6 votes

   Vote Vote Vote Vote

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Vote

   We’ll send you updates on this idea

   3 comments  ·  Delete…  ·  Admin →
   Building  ·  AdminSara Winter (Principal Product Manager, Optimizely) responded

   Great news! Our team is anticipating releasing this feature in June 2026. I'll provide another update once the release has been completed.